Security
Headlines
HeadlinesLatestCVEs

Tag

#xss

CVE-2022-29182: Releases - Version notes | GoCD

GoCD is a continuous delivery server. GoCD versions 19.11.0 through 21.4.0 (inclusive) are vulnerable to a Document Object Model (DOM)-based cross-site scripting attack via a pipeline run's Stage Details > Graphs tab. It is possible for a malicious script on a attacker-hosted site to execute script that will run within the user's browser context and GoCD session via abuse of a messaging channel used for communication between with the parent page and the stage details graph's iframe. This could allow an attacker to steal a GoCD user's session cookies and/or execute malicious code in the user's context. This issue is fixed in GoCD 22.1.0. There are currently no known workarounds.

CVE
#sql#xss#csrf#vulnerability#web#mac#windows#google#microsoft#amazon#ubuntu#linux#debian#apache#nodejs#js#git#java#oracle#kubernetes#rce#perl#ldap#aws#log4j#oauth#auth#ssh#dell#ruby#rpm#postgres#docker#bitbucket#chrome#gradle#maven#ssl
CVE-2021-39043: IBM Jazz Team Server cross-site scripting CVE-2021-39043 Vulnerability Report

IBM Jazz Team Server 6.0.6, 6.0.6.1, 7.0, 7.0.1, and 7.0.2 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 214032.

CVE-2021-43729: Hunting for Vulnerabilities in Low-Cost WiFi Repeaters

Pix-Link MiNi Router 28K.MiniRouter.20190211 was discovered to contain a stored cross-site scripting (XSS) vulnerability due to an unsanitized Security Key parameter.

CVE-2022-25227: Proton v0.2.0 - XSS To RCE | Fluid Attacks

Thinfinity VNC v4.0.0.1 contains a Cross-Origin Resource Sharing (CORS) vulnerability which can allow an unprivileged remote attacker, if they can trick a user into browse malicious site, to obtain an 'ID' that can be used to send websocket requests and achieve RCE.

CVE-2022-25229: Popcorn Time 0.4.7 - XSS to RCE | Fluid Attacks

Popcorn Time 0.4.7 has a Stored XSS in the 'Movies API Server(s)'' field via the 'settings' page. The 'nodeIntegration' configuration is set to on which allows the webpage to use 'NodeJs' features, an attacker can leverage this to run OS commands.

CVE-2022-1806: Reflected XSS in rtx

Cross-site Scripting (XSS) - Reflected in GitHub repository rtxteam/rtx prior to checkpoint_2022-05-18.

CVE-2022-28985: Stored XSS in "Update Status" section under "OrangeBuzz" via the GET/POST parameters `createPost[linkTitle]` and `createPost[linkAddress]` · Issue #1217 · orangehrm/orangehrm

A stored cross-site scripting (XSS) vulnerability in the addNewPost component of OrangeHRM v4.10.1 allows attackers to execute arbitrary web scripts or HTML via a crafted POST request.

CVE-2022-29652: Online Sports Complex Booking System 1.0 Cross Site Scripting ≈ Packet Storm

Online Sports Complex Booking System 1.0 is vulnerable to SQL Injection via /scbs/classes/Users.php?f=save_client.